3.1.7 Internal IT Audit
| No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 |
Effective from 2021-11-04 - Nov 03 2021
To view other versions open the versions tab on the right
Principle
IT Audit should be conducted in accordance with generally accepted auditing standards and relevant Saudi Central Bank framework (s) to verify that the IT control design is adequately implemented and operating as intended.
Control Requirements
| 1. | IT audits should be performed independently and according to generally accepted auditing standards and relevant Saudi Central Bank frameworks. | |
| 2. | The Member Organizations should establish an audit cycle that determines the frequency of IT audits. | |
| 3. | Member Organizations should develop formal IT audit plan addressing people, process and technology components. | |
| 4. | IT audit plan should be approved by the Member Organization's audit committee. | |
| 5. | The frequency of IT audit should be aligned with the criticality and risk of the IT system or process. | |
| 6. | A follow-up process for IT audit observations should be established to track and monitor IT audit observations. | |
| 7. | Member Organizations should ensure that the IT auditors have the requisite level of competencies and skills to effectively assess and evaluate the adequacy of IT policies, procedures, processes and controls implemented. | |
| 8. | IT audit report, at a minimum, should: | |
| a. | include the findings, recommendations, management's response with defined action plan, and responsible party and limitations in scope with respect to the IT audits; | |
| b. | signed, dated and distributed according to the format defined; and | |
| c. | submitted to the audit committee on periodical basis. | |